Releases: winhowes/AuthTranslator
v0.2.11
Changelog
v0.2.11 is a platform secret-store and toolchain maintenance release that adds OS-native desktop secret backends, hardens their edge-case handling, and updates AuthTranslator's CI and release toolchain.
Highlights
- Added OS-native secret backends for macOS Keychain (keychain:), Linux Secret Service (secretservice:), and Windows Credential Manager (wincred:), with documentation and unit coverage.
- Fixed CLI-backed secret handling so macOS Keychain output drops only the command-added final LF while preserving valid trailing secret bytes, and Linux Secret Service preserves exact secret-tool output bytes.
- Added Windows Credential Manager decoding coverage and non-Windows unsupported-path coverage so the backend behaves predictably across platforms.
- Updated GitHub Actions dependencies to Node 24-compatible pinned versions.
- Bumped the module, test workflow, and release workflow to Go 1.26.2.
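
The trailing-LF fix above, as an added Go example (not AuthTranslator's own code): it compares dropping exactly one command-added final LF against a whitespace trim, over constructed secrets. The helper names and the sample secrets are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// trimCommandLF is a hypothetical helper: it drops exactly one trailing LF,
// the byte the CLI appends after the secret, and nothing else.
func trimCommandLF(out []byte) []byte {
	if n := len(out); n > 0 && out[n-1] == '\n' {
		return out[:n-1]
	}
	return out
}

// naiveTrim is the lossy alternative: TrimSpace also removes whitespace
// that is part of the secret itself.
func naiveTrim(out []byte) []byte {
	return []byte(strings.TrimSpace(string(out)))
}

// Constructed sample secrets, including ones with meaningful trailing bytes.
var samples = [][]byte{
	[]byte("hunter2"),
	[]byte("ends-with-space "),
	[]byte("ends-with-newline\n"),
	[]byte("crlf-tail\r\n"),
	[]byte(""),
}

// lossyCases counts the samples a trimming strategy fails to round-trip
// when the CLI output is modelled as secret + one LF.
func lossyCases(trim func([]byte) []byte) int {
	lost := 0
	for _, secret := range samples {
		raw := append(append([]byte{}, secret...), '\n')
		if !bytes.Equal(trim(raw), secret) {
			lost++
		}
	}
	return lost
}

func main() {
	fmt.Println("final-LF drop, lossy cases:", lossyCases(trimCommandLF))
	fmt.Println("TrimSpace, lossy cases:", lossyCases(naiveTrim))
}
```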
Included PRs
v0.2.10
Changelog
v0.2.10 is a focused observability follow-up release that makes AuthTranslator’s Prometheus metrics self-describing so Grafana and PromQL treat them with the right counter and histogram semantics.
Highlights
- Declared the built-in authtranslator_*_total metric families as Prometheus counters in the exporter output.
- Declared authtranslator_request_duration_seconds as a Prometheus histogram in the exporter output.
- Added regression coverage to ensure metric type metadata is emitted alongside the existing metrics samples.
- Updated the example metrics plugin and metrics plugin docs so custom counters emit matching # TYPE lines too.
Included PRs
- #625 Declare Prometheus metric types
v0.2.9
Changelog
v0.2.9 is a targeted observability release focused on making proxy-generated failures easier to track without adding tracing overhead.
Highlights
- Added authtranslator_internal_responses_total{integration,code,reason} to expose proxy-generated non-upstream responses with bounded reason labels.
- Expanded authtranslator_auth_failures_total to count outgoing auth failures in addition to incoming auth failures.
- Documented the new metrics and added PromQL/Grafana guidance for monitoring internal proxy failures.
- Added regression coverage across the metrics exporter and proxy rejection paths.
Included PRs
- #624 Add metrics for proxy-generated responses
v0.2.8
Changelog
v0.2.8 is a hardening and bugfix release focused on authorization, rate limiting, TLS verification, transport behavior, metrics handling, and safer config error reporting.
Highlights
- Hardened Redis-backed rate limiting with atomic bucket updates, better key scoping, idle bucket eviction, and timestamp handling fixes.
- Enforced Redis TLS certificate verification.
- Fixed mTLS outgoing transport behavior to preserve default transport settings and handle wrapped transports correctly.
- Tightened authorization behavior around wildcard allowlist matching, token auth prefix enforcement, and dynamically expanded capability rules.
- Improved operational safety by redacting sensitive remote config URLs and config source details in error paths and reload logs.
- Hardened the metrics handler and expanded regression coverage.
- Pinned the Codecov GitHub Action to an immutable commit SHA.
- Cleaned up integration test fixtures and stabilized a flaky transport-related test.
Included PRs
- #623 Redact sensitive parts of remote config URLs in errors and improve fetch error messages
- #622 Clean up integration fixtures with DeleteIntegration
- #621 Normalize dynamically expanded capability rules
- #620 Fix flaky transport mutation assertion in integration tests
- #619 Redact config source in reload failure logs
- #618 Enforce token auth prefix handling
- #617 Restrict wildcard allowlist matching to anonymous callers
- #616 Harden metrics handler behavior
- #615 Fix Redis rate limiter race and bucket handling
- #614 Enforce Redis TLS certificate verification
- #613 Fix mTLS transport behavior
- #612 Fix Redis rate-limiting behavior
- #611 Pin Codecov GitHub Action to an immutable commit SHA
- #610 Fix token-bucket handling issues
- #609 Fix authentication/authorization confusion bug